Cybersecurity: Is Business Process The Next ‘Attack Surface’?

Cybersecurity is rapidly becoming the single biggest issue facing hedge funds and asset managers. Each and every week we hear of a new breach or bug, and their complexity is only increasing. In one case, the CEOs of over 30 firms are meeting for two hours every week to discuss the issue, and this is a group that don’t usually take meetings during market hours. At Options, we now hold two weekly global business and engineering calls entirely dedicated to security, and the topic is now also a standing agenda item on our daily operations call. We have also now switched to quarterly penetration tests and will continue this practice for the foreseeable future.

In a worrying development, a number of funds have reported attacks where the criminals have hacked investor email accounts and made seemingly legitimate requests for redemptions, citing one pressing reason or another.

Such an evolution provides a massive headache for a firm’s IT. How do they protect against emails that, on the face of it at least, come from legitimate sources and make legitimate requests?

My personal take is that this isn’t a technology issue, or test of a firm’s technology; it is a test of the firm’s business processes.

Cyber threats may be a relatively recent occurrence, but fraud certainly isn’t, and any well-run Wall Street firm (or SME for that matter) has always implemented a range of standard approaches to make it much more difficult for any would-be fraudster to get access to a firm’s cash. Critically, this process can and should protect against both employee fraud and cybercrime.

My general recommendation is that every business should have a multilayered approach to purchasing, and any payments or transfers made from the company coffers should be processed with maximum transparency, clear control points and no single points of failure.

Generally, this will include the following:

A PO process for all expenditure other than salaries and expenses.

The PO process should be linked to payables and no invoice should be paid without a reference PO.

There should be clear separation of church and state, i.e. the people executing the POs should not be the same people making the payments.

Dual signatures should be mandatory on all bank accounts.

There should be a crosscheck process where all POs are cross-checked before approval and all payments cross-checked after approval.

Weekly bank reconciliations (bank recs) are critical.

There should be a single control point for all contract signatures globally, generally the CAO.

There should be a second control point for all approvals globally, generally the COO or GM.

Neither the GM nor the CAO should have the authority to actually make the payment; that should sit with the finance team.

The same process should be in place for new hires, pay rises, bonuses, commission payments, travel and expenses.
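The layers above can be modelled as a single gate that every outgoing payment must pass before the finance team releases it. The following is an added example written for this article, not code from Options, Wombat or any workflow tool the author uses; the staff directory, the PO register and the two payment requests are constructed, and the role names (procurement, CAO, COO, finance) are assumptions chosen to mirror the list. It returns every control a request fails rather than stopping at the first, so that both the phished "urgent redemption" case and the insider case are caught by several layers at once.

```python
"""Payment-control gate: one check per layer of the process described above.

Constructed illustration; names, roles and PO data are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed staff directory (assumption): a real firm would pull this from
# HR or the identity provider rather than hard-code it.
ROLES: Dict[str, str] = {
    "alice": "procurement",   # raises POs
    "bob": "procurement",     # cross-checks POs
    "carol": "CAO",           # single control point for contract signatures
    "dave": "COO",            # second control point for approvals
    "erin": "finance",        # payment signatories
    "frank": "finance",
}


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float
    raised_by: str
    crosschecked_by: Optional[str] = None  # independent check before approval
    approved_by: Optional[str] = None      # COO/GM approval control point


@dataclass(frozen=True)
class PaymentRequest:
    invoice_id: str
    vendor: str
    amount: float
    po_id: Optional[str]                  # None models an invoice or emailed plea with no PO
    signatories: Tuple[str, ...]          # people signing the bank instruction
    post_check_by: Optional[str] = None   # cross-check after approval, before release


def control_failures(req: PaymentRequest, po_register: Dict[str, PurchaseOrder],
                     roles: Dict[str, str] = ROLES) -> List[str]:
    """Return every control the request fails; an empty list means it may proceed."""
    failures: List[str] = []
    po = po_register.get(req.po_id) if req.po_id else None
    if po is None:
        # "No invoice should be paid without a reference PO."
        failures.append("no reference PO")
        po_people = set()
    else:
        if po.vendor != req.vendor or req.amount > po.amount:
            failures.append("invoice does not match PO vendor/amount")
        if po.crosschecked_by in (None, po.raised_by):
            failures.append("PO not independently cross-checked before approval")
        if po.approved_by is None or roles.get(po.approved_by) not in ("COO", "GM"):
            failures.append("PO lacks COO/GM approval")
        po_people = {po.raised_by, po.crosschecked_by, po.approved_by} - {None}
    sigs = set(req.signatories)
    if len(sigs) < 2:
        failures.append("dual signature required")
    if any(roles.get(s) != "finance" for s in sigs):
        # Neither the GM nor the CAO (nor procurement) may execute the payment.
        failures.append("payment must be executed by the finance team")
    if sigs & po_people:
        # Separation of church and state: PO actors do not make the payment.
        failures.append("separation of duties: PO actors cannot sign the payment")
    if req.post_check_by is None or req.post_check_by in sigs:
        failures.append("no independent post-approval cross-check")
    return failures


# Constructed PO register with one properly raised, checked and approved PO.
PO_REGISTER: Dict[str, PurchaseOrder] = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Data Ltd", 12000.0,
                             raised_by="alice", crosschecked_by="bob", approved_by="dave"),
}

# Legitimate invoice: references the approved PO, signed by two finance staff,
# cross-checked afterwards by someone who did not sign.
LEGIT = PaymentRequest("INV-77", "Acme Data Ltd", 12000.0, "PO-1001",
                       signatories=("erin", "frank"), post_check_by="bob")

# The redemption-style request from a compromised investor mailbox: convincing,
# urgent, and actioned by one person. It has no PO, so it trips several layers.
PHISHED = PaymentRequest("EMAIL-redemption", "Investor X", 250000.0, None,
                         signatories=("erin",), post_check_by=None)

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("phished", PHISHED)):
        print(name, control_failures(req, PO_REGISTER) or "OK")
```

The same gate covers the employee-fraud case the article mentions: if the person who raised the PO also appears among the signatories, the separation-of-duties and finance-only checks both fire, regardless of how genuine the PO itself looks.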

I’ve used this model in a number of businesses over the years. We used it in Wombat, even when we were managing only five employees, right up to NYSE Euronext, where we were managing a 1,600-person engineering team spread across 20 countries.

With Options, we run the global processes on a set of custom Jira workflows that took a few days to implement. The approach is far from complicated, and success is very much down to the mindset of those implementing it.

The key is to have a solid process in place so that the fraudster has to overcome a process rather than one single point of failure. Very often the attack surface is just one individual and this is the case whether the criminal attempts deception through a phishing email, or, as in the old days, forces the bank manager to open the safe by whatever means necessary (violence, extortion etc.). Robust business processes are critical and can go a long way towards removing that one key individual and that single point of failure.